Closing the gaps in EU cyber security

Written by Thomas Boué for Computer Weekly:

Inconsistent approaches to cyber security across Europe are undermining attempts to harmonise policy and preparedness in the EU


Bolstering cyber security is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create and solve problems, it has also introduced risks that must be managed.

European officials, including representatives from the UK, are closing in on negotiations for an EU Network and Information Security (NIS) Directive, which is the EU’s first attempt at crafting cyber security legislation.

The NIS Directive is aimed at harmonising cyber security laws and improving pan-European co-ordination on cyber security incidents. This is no small feat when brokering an agreement among 28 countries. A recent analysis from the Business Software Alliance (BSA) charts just how big a task officials have before them.

The BSA EU Cyber Security Dashboard examines national cyber security laws and policies across the EU, and finds an unhelpful patchwork exists when it comes to cyber preparedness. While some countries have strong cyber security legal frameworks – the UK, Germany and Estonia, for example – others still have much work to do.

There are also considerable discrepancies between countries’ operational capabilities when it comes to cyber threats. The result is gaps and fragmentation that put the entire European market at risk.

Encouragingly, most countries recognise cyber security should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Truly critical services, such as transport, energy and banking, are where disruption from cyber incidents could do the most harm.

Yet, more than half of EU member states have yet to go through the process of assessing and establishing priorities for providers of critical services and infrastructure.

Lack of co-operation

Among other gaps the report highlights is a lack of co-operation between governments and the private sector on cyber security. This issue was similarly called out by US president Barack Obama in February 2015, when he signed an executive order aimed at encouraging better information sharing between US public and private sectors about cyber attacks.

Likewise in Europe, most infrastructure is owned by the private sector, making public-private co-operation essential. Yet only a handful of European countries have an established framework for public-private partnerships on cyber security. The more communication and co-ordination taking place between the EU, national governments and the private sector, the more resilient all of us will be in the face of evolving cyber security threats.

There are fundamental elements of a strong legal cyber security framework. These range from establishing strong legal foundations and a comprehensive and regularly updated cyber security strategy, to engendering trust, working in partnership and promoting cyber security education. These building blocks provide valuable guidance for national governments that are ultimately responsible for implementing cyber security rules and policies.

Protectionist rules

But there are also worrying developments around the world, as some governments use cyber security as justification for protectionist rules that reduce choice and undermine cyber protections.

Policymakers should avoid country-specific cyber security standards, obligations to disclose sensitive information, such as source code or encryption keys, data localisation requirements, or preferences for indigenous providers, among other unhelpful policies. Such policies undercut cyber security rather than improving it. They also impose unfair market access barriers on global producers and service providers, whether intended or not.

As the UK and other EU member states attempt to complete work on the NIS Directive and agree on common language with the European Parliament and the European Commission over the coming months, harmonisation should be top of mind.

The aim of the directive should be to establish a foundation of cyber security preparedness, with harmonised rules grounded in a risk-based approach and focused on providers of truly critical infrastructure and services.

Cyber threats take no notice of national borders. The sooner we raise the level of cyber resilience across all EU member states – particularly for Europe’s most critical infrastructure – the closer we’ll be to securing our governments, citizens and businesses against malicious cyber attacks. We’re much stronger if we’re in it together.
